Tonight I tested a Raspberry Pi model B running Raspbian as an OpenVPN-capable router. I used an Apple USB FastEthernet adaptor as the external interface. Results are disappointing. Pushing traffic through the VPN produced 90% CPU usage at about 8 Mbit with the CPU running at 700 MHz (no CPU overclocking). That’s far below what my tests with “openssl speed” produced.
My goal is to produce a low-power router capable of high-speed VPN encryption using OpenVPN, PPTP, and IPsec. Simply routing is easy, but encrypting on the device is another matter.
OpenVPN defaults to using OpenSSL with SHA-1. Using an average network packet of 1K, “openssl speed” indicates that my Pi should out-perform my Buffalo router by about 3 times over:
# Buffalo WZR-HP-G300NH with OpenWRT 10.03.1: root@buffalo:~# openssl speed sha1 type 16 bytes 64 bytes 256 bytes 1024 bytes 2048 bytes sha1 910.96k 2470.68k 4990.85k 6953.07k 7284.12k # Raspberry Pi with Raspbian "wheezy" @ 700 MHz ARM clock: root@routerberrypi:~# openssl speed sha1 type 16 bytes 64 bytes 256 bytes 1024 bytes 2048 bytes sha1 1634.07k 5627.26k 14426.31k 23815.77k 29542.22k
However, it doesn’t. In fact the Buffalo can achieve 12-13 Mbit at 100% CPU usage. My first guess was that that OpenVPN isn’t compiled with hard-float support, unlike OpenSSL itself. However, both binaries are linked to the same hard-float-capable libraries:
root@routerberrypi:~# ldd /usr/sbin/openvpn ... libssl.so.1.0.0 => /usr/lib/arm-linux-gnueabihf/libssl.so.1.0.0 (0xb6dfd000) libcrypto.so.1.0.0 => /usr/lib/arm-linux-gnueabihf/libcrypto.so.1.0.0 (0xb6c9a000) root@routerberrypi:~# ldd /usr/bin/openssl ... libssl.so.1.0.0 => /usr/lib/arm-linux-gnueabihf/libssl.so.1.0.0 (0xb6ebe000) libcrypto.so.1.0.0 => /usr/lib/arm-linux-gnueabihf/libcrypto.so.1.0.0 (0xb6d5b000)
Does anyone know what’s going on?